The Dark Side of the Web: An Open Proxy’s View - PowerPoint PPT Presentation

Presentation Transcript

The Dark Side of the Web: An Open Proxy’s View

Vivek S. Pai, Limin Wang, KyoungSoo Park, Ruoming Pang, Larry Peterson

Princeton University

Origins: Surviving Heavy Loads

  • Surviving flash crowds, DDoS attacks

  • Absorb via massive resources

    • Raise the bar for attacks

    • Tolerate smaller crowds

    • Survive larger attacks

  • Existing approach:

    Content Distribution Networks

CoDeeN Security - HotNets II

Building an Academic CDN

  • Flash crowds are real

  • We have the technology

    • OSDI’02 paper on CDN performance

    • USITS’03 proxy API

    • PlanetLab provides the resources

  • Continuous service, decentralized control

  • Seeing real traffic, reliability, etc.

    • We use it ourselves

    • Open access = more traffic

How Does CoDeeN Work?

  • Server surrogates (proxies) on most North American sites

    • Originally everywhere, but we cut back

  • Clients specify proxy to use

    • Cache hits served locally

    • Cache misses forwarded to CoDeeN nodes

      • Maybe forwarded to origin servers

How Does CoDeeN Work?

(Diagram: cache hits are served locally by the CoDeeN proxy; cache misses are forwarded to other CoDeeN nodes)

Each CoDeeN proxy is a forward proxy, reverse proxy, & redirector

Steps For Inviting Trouble

  • Use a popular protocol

    • HTTP

  • Emulate a popular tool/interface

    • Web proxy servers

  • Allow open access

    • With HTTP’s lack of accountability

  • Be more attractive than competition

    • Uptime, bandwidth, anonymity

Hello, Trouble!

  • Spammers

  • Bandwidth hogs

  • High request rates

  • Content Thieves

  • Worrisome anonymity

    Commonality: using CoDeeN to do things they would not do directly

The Root of All Trouble

(Diagram: (Malicious) Client → CoDeeN Proxy; no end-to-end connection)

Spammers

  • SMTP (port 25) tunnels via CONNECT

    • Relay via open mail server

  • POST forms (formmail scripts)

    • Exploit website scripts

  • IRC channels (port 6667) via CONNECT

    • Captive audience, high port #

Attempted SMTP Tunnels/Day

(Chart slide; the plot is not reproduced in the transcript)

Bandwidth Hogs

  • Webcam trackers

    • Mass downloads of paid cam sites

  • Cross-Pacific traffic

    • Simultaneous large file downloads

  • Steganographers

    • Large files small images

    • All uniform sizes

High Request Rates

  • Password crackers

    • Attacking random Yahoo! accounts

  • Google crawlers

    • Dictionary crawls – baffles Googlians

  • Click counters

    • Defeat ad-supported “game”

Content Theft

  • Licensed content theft

    • Journals and databases are expensive

  • Intra-domain access

    • Protected pages within the hosting site

Worrisome Anonymity

  • Request spreaders

    • Use CoDeeN as a DDoS platform!

  • TCP over HTTP

  • Non-HTTP Port 80

    • Access logging insufficient

  • Vulnerability testing

    • Low rate, triggers IDS

Goals, Real & Otherwise

  • Desired: allow only “safe” accesses

  • Ideally

    • An oracle tells you what’s safe

    • “Your” users are not impacted

  • Open proxies considered inherently bad

    • NLANR requires accounts, proxy-auth

    • JANET closed to outsiders

  • No research in “partially open” proxies

Privilege Separation

(Diagram slide; not reproduced in the transcript)

Rate Limiting

  • 3 scales capture burstiness

  • Exceptions

    • Login attempts

    • Vulnerability tests



Other Techniques

  • Limiting methods – GET, (HEAD)

    • Local users not restricted

  • Sanity checking on requests

    • Browsers, machines very different

  • Modifying request stream

    • Most promising future direction
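
As an added example (not code from the CoDeeN project or these slides), a per-client policy sketch that combines the three-scale rate limit from the Rate Limiting slide with this slide's GET/HEAD restriction for non-local clients, so a remote CONNECT (the SMTP tunnel case) is refused before it is ever counted. The window sizes, request limits and the `10.` "local" prefix are assumptions; the login-attempt and vulnerability-test exceptions are not modeled.

```python
from collections import defaultdict, deque

# Three sliding windows (window_seconds, max_requests): burst, sustained,
# hourly. Constructed values for illustration, not CoDeeN's actual limits.
SCALES = ((1, 10), (60, 200), (3600, 4000))

# Methods a non-local client may use through the proxy (slide: GET, (HEAD)).
OPEN_METHODS = {"GET", "HEAD"}


class ProxyPolicy:
    def __init__(self, local_prefix="10.", scales=SCALES):
        self.local_prefix = local_prefix      # hypothetical "local" range
        self.scales = scales
        # client -> one deque of request timestamps per scale
        self.history = defaultdict(lambda: [deque() for _ in scales])

    def is_local(self, client_ip):
        return client_ip.startswith(self.local_prefix)

    def _rate_exceeded(self, client_ip, now):
        """Check every scale; any one of them can reject the request."""
        exceeded = False
        for (window, limit), q in zip(self.scales, self.history[client_ip]):
            while q and now - q[0] >= window:   # drop timestamps outside the window
                q.popleft()
            if len(q) >= limit:
                exceeded = True
            q.append(now)  # rejected attempts count too: hammering never resets a window
        return exceeded

    def decide(self, client_ip, method, now):
        """Return 'allow' or a short deny reason for one request."""
        if not self.is_local(client_ip) and method not in OPEN_METHODS:
            return "deny: method %s not allowed for remote clients" % method
        if self._rate_exceeded(client_ip, now):
            return "deny: rate limit"
        return "allow"
```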

By The Numbers…

  • Running 24/7 since May, ~40 nodes

    • Over 400,000 unique IPs as clients

    • Over 150 million requests serviced

    • Valid rates up to 50K reqs/hour

    • Roughly 4 million reqs/day aggregate

    • About 4 real abuse incidents

  • Availability: high uptimes, fast upgrades

Daily Client Population Count

(Chart slide; the plot is not reproduced in the transcript)

Daily Request Volume

(Chart slide; the plot is not reproduced in the transcript)

Monitors & Other Venues

  • Routinely trigger open proxy alerts

    • Educating sysadmins, others

  • Really good honeypots

    • 6000 SMTP flows/minute at CMU

    • Spammers do ~1M HTTP ops/day

  • Early problem detection

    • Failing PlanetLab nodes

    • Compromised university machines

Lessons & Directions

  • Few substitutes for reality

    • Non-dedicated hardware really interesting

    • Failure modes not present in NS-2

  • Stopgap measures pretty effective

    • Very slow arms race

    • Breathing time for better solutions

  • Next: more complex techniques

    • Machine learning, high-dim clustering

More Info

Intel, HP, iMimic, PlanetLab Central